The dnscrypt-proxy service can run as a separate user, chroot itself into the directory, and drop privileges. It is also built with compiler hardening flags: it’s PIE-enabled and uses full RELRO and stack protection. It’s pretty cool, but I like to be sure, so enforcing an AppArmor profile is always nice.

With this AppArmor profile enabled, an attacker who compromises DNSCrypt will have absolutely no write access to the file system and incredibly limited read access. The most viable option at this point is for them to go for a local kernel exploit.

Actually, the file names are “libsodium.a” and “libsodium.la” so I’ve written that out as “libsodium.*a”; there might be a better way to write it, like enumeration or something like “libsodium.l?a” if that’s supported.

1.3.1 no longer includes a custom copy of libsodium. Only 1.3.0 seems to do that.
Since libsodium is not packaged for Ubuntu yet, I’ve packaged 1.3.0 in the PPA for now. I don’t think there are any notable changes in 1.3.1 for Linux, so I didn’t bother to package the library to get it (yet).

The error you get is basically what happens when you have inbound connections denied via UFW/GUFW/IPTables. Not sure what else it could be. But by default Ubuntu doesn’t use any iptables rules that I know of.

Off the top of my head, your profile mentions libsodium in /usr/local/lib twice.

Also, in 1.3.0 it’s “libsodium.a” and “libsodium.la”, not “libsodium.so”, so I can’t use your profile without modifying it. Specifying “libsodium.*” should fix it.

It’s good to see you’ve added IPv6 capabilities; I was about to ask if you’ve tested IPv6. I wonder if it requires any additional CLI parameters to work and if I can just enable it by default in the package.

WordPress is weird. The commit I sent to dnscrypt is for the latest branch, which is 1.3.1, which uses .so, so that’s what I’m using. Using a .* isn’t a big deal, but I’m not gonna change it for consistency’s sake – if they change back to using .a or .la I’ll change it.

Haven’t tested out IPv6, personally. But IPv6 is fully supported on DNSCrypt.
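The glob variants discussed in the comments above can be compared with a small checker. This is an added example, not code from the post or from any commenter; it is a simplified model of AppArmor path globbing as documented in apparmor.d(5), the file names `libsodium.lxa` and `libsodium.data` are constructed to show over- and under-matching, and `{a,la}` is AppArmor's alternation (enumeration) syntax.

```python
import re

def aa_glob_to_regex(glob):
    """Translate an AppArmor path glob into a Python regex (simplified model)."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if c == "*":
            if glob[i:i + 2] == "**":
                out.append(".*")        # ** may cross directory separators
                i += 1
            else:
                out.append("[^/]*")     # * stays inside one path component
        elif c == "?":
            out.append("[^/]")          # exactly one character, never zero
        elif c == "{":
            out.append("(?:")           # {a,b} is alternation
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        elif c == "[":
            end = glob.index("]", i + 1)  # character class, copied through
            out.append(glob[i:end + 1])
            i = end
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out))

LIB = "/usr/local/lib/"
# Constructed file list: the names from the thread plus two decoys.
NAMES = ("libsodium.a", "libsodium.la", "libsodium.so",
         "libsodium.lxa", "libsodium.data")

def matches(glob):
    """Return which of NAMES a profile rule for LIB + glob would cover."""
    rx = aa_glob_to_regex(LIB + glob)
    return [n for n in NAMES if rx.fullmatch(LIB + n)]

if __name__ == "__main__":
    for g in ("libsodium.*a", "libsodium.l?a", "libsodium.{a,la}",
              "libsodium.*", "libsodium.so"):
        print(f"{g:18} -> {matches(g)}")
```

In this model `libsodium.l?a` covers neither static library file, because `?` always consumes one character, while `libsodium.{a,la}` covers exactly the two names and nothing else.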

I’ve packaged libsodium and DNSCrypt 1.3.1 now, and that lets me compile them on Ubuntu Precise! However, AppArmor on Precise complains that there’s no such thing as “capability block_suspend”. Are you sure it’s needed for DNSCrypt to function?

However, turns out that the profile breaks shutdown on Ubuntu 14.04 (and only on 14.04!) even though it doesn’t have the “block_suspend” capability. My attempts to debug this have failed, so I’d really appreciate it if you could take a look.

This is a serious bug because it breaks rebooting on remote servers, and the only solution so far is disabling the AppArmor profile, which is obviously a no-go.